revengerat | e7855638115e51828aff2dde97a967409c118d1c7c883de968a35b06b61624b5

Analysis

max time kernel
144s
max time network
164s
platform
windows7_x64
resource
win7-20220331-en
submitted
30-03-2022 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7855638115e51828aff2dde97a967409c118d1c7c883de968a35b06b61624b5.exe
Size

79KB
MD5

96a5e45ae95a2b95428c001d8a6bb7b1
SHA1

40aa7869c871a2cab6a96264cca8dabe5a5aef96
SHA256

e7855638115e51828aff2dde97a967409c118d1c7c883de968a35b06b61624b5
SHA512

0e62c21b74771f7ea486c61d1e301641a346b3e929f68e98be8949d3e13734e2e0c06ac43a77dea319da9e51be6c89017c209936a19c61616b8e9ba057d2bffa

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 9 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\GrieferGames.exe	revengerat
C:\Users\Admin\AppData\Roaming\GrieferGames.exe	revengerat
behavioral1/memory/1156-62-0x0000000000400000-0x0000000000414000-memory.dmp	revengerat
behavioral1/memory/1156-63-0x0000000000400000-0x0000000000414000-memory.dmp	revengerat
behavioral1/memory/1156-64-0x0000000000400000-0x0000000000414000-memory.dmp	revengerat
behavioral1/memory/1156-65-0x000000000040F91E-mapping.dmp	revengerat
behavioral1/memory/1156-67-0x0000000000400000-0x0000000000414000-memory.dmp	revengerat
C:\Users\Admin\AppData\Roaming\GrieferGames.exe	revengerat
behavioral1/memory/1440-96-0x000000000040F91E-mapping.dmp	revengerat

Executes dropped EXE 2 IoCs

Processes:

GrieferGames.exeGrieferGames.exe

pid process

1364 GrieferGames.exe
428 GrieferGames.exe
Drops startup file 1 IoCs

Processes:

vbc.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GrieferGames.exe vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1364	GrieferGames.exe
428	GrieferGames.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GrieferGames.exe	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

InstallUtil.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Griefergames = "C:\\Users\\Admin\\AppData\\Roaming\\GrieferGames.exe"	InstallUtil.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

GrieferGames.exeInstallUtil.exeGrieferGames.exeInstallUtil.exe

description	pid	process	target process
PID 1364 set thread context of 1156	1364	GrieferGames.exe	InstallUtil.exe
PID 1156 set thread context of 2044	1156	InstallUtil.exe	InstallUtil.exe
PID 428 set thread context of 1440	428	GrieferGames.exe	InstallUtil.exe
PID 1440 set thread context of 1884	1440	InstallUtil.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1072 schtasks.exe

pid	process
1072	schtasks.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

e7855638115e51828aff2dde97a967409c118d1c7c883de968a35b06b61624b5.exeGrieferGames.exeInstallUtil.exeGrieferGames.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1892	e7855638115e51828aff2dde97a967409c118d1c7c883de968a35b06b61624b5.exe
Token: SeDebugPrivilege	1364	GrieferGames.exe
Token: SeDebugPrivilege	1156	InstallUtil.exe
Token: SeDebugPrivilege	428	GrieferGames.exe
Token: SeDebugPrivilege	1440	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e7855638115e51828aff2dde97a967409c118d1c7c883de968a35b06b61624b5.exeGrieferGames.exeInstallUtil.exevbc.exetaskeng.exeGrieferGames.exeInstallUtil.exe

description	pid	process	target process
PID 1892 wrote to memory of 1364	1892	e7855638115e51828aff2dde97a967409c118d1c7c883de968a35b06b61624b5.exe	GrieferGames.exe
PID 1892 wrote to memory of 1364	1892	e7855638115e51828aff2dde97a967409c118d1c7c883de968a35b06b61624b5.exe	GrieferGames.exe
PID 1892 wrote to memory of 1364	1892	e7855638115e51828aff2dde97a967409c118d1c7c883de968a35b06b61624b5.exe	GrieferGames.exe
PID 1892 wrote to memory of 1364	1892	e7855638115e51828aff2dde97a967409c118d1c7c883de968a35b06b61624b5.exe	GrieferGames.exe
PID 1364 wrote to memory of 1156	1364	GrieferGames.exe	InstallUtil.exe
PID 1364 wrote to memory of 1156	1364	GrieferGames.exe	InstallUtil.exe
PID 1364 wrote to memory of 1156	1364	GrieferGames.exe	InstallUtil.exe
PID 1364 wrote to memory of 1156	1364	GrieferGames.exe	InstallUtil.exe
PID 1364 wrote to memory of 1156	1364	GrieferGames.exe	InstallUtil.exe
PID 1364 wrote to memory of 1156	1364	GrieferGames.exe	InstallUtil.exe
PID 1364 wrote to memory of 1156	1364	GrieferGames.exe	InstallUtil.exe
PID 1364 wrote to memory of 1156	1364	GrieferGames.exe	InstallUtil.exe
PID 1364 wrote to memory of 1156	1364	GrieferGames.exe	InstallUtil.exe
PID 1364 wrote to memory of 1156	1364	GrieferGames.exe	InstallUtil.exe
PID 1364 wrote to memory of 1156	1364	GrieferGames.exe	InstallUtil.exe
PID 1364 wrote to memory of 1156	1364	GrieferGames.exe	InstallUtil.exe
PID 1156 wrote to memory of 2044	1156	InstallUtil.exe	InstallUtil.exe
PID 1156 wrote to memory of 2044	1156	InstallUtil.exe	InstallUtil.exe
PID 1156 wrote to memory of 2044	1156	InstallUtil.exe	InstallUtil.exe
PID 1156 wrote to memory of 2044	1156	InstallUtil.exe	InstallUtil.exe
PID 1156 wrote to memory of 2044	1156	InstallUtil.exe	InstallUtil.exe
PID 1156 wrote to memory of 2044	1156	InstallUtil.exe	InstallUtil.exe
PID 1156 wrote to memory of 2044	1156	InstallUtil.exe	InstallUtil.exe
PID 1156 wrote to memory of 2044	1156	InstallUtil.exe	InstallUtil.exe
PID 1156 wrote to memory of 2044	1156	InstallUtil.exe	InstallUtil.exe
PID 1156 wrote to memory of 2044	1156	InstallUtil.exe	InstallUtil.exe
PID 1156 wrote to memory of 2044	1156	InstallUtil.exe	InstallUtil.exe
PID 1156 wrote to memory of 2044	1156	InstallUtil.exe	InstallUtil.exe
PID 1156 wrote to memory of 1584	1156	InstallUtil.exe	vbc.exe
PID 1156 wrote to memory of 1584	1156	InstallUtil.exe	vbc.exe
PID 1156 wrote to memory of 1584	1156	InstallUtil.exe	vbc.exe
PID 1156 wrote to memory of 1584	1156	InstallUtil.exe	vbc.exe
PID 1584 wrote to memory of 924	1584	vbc.exe	cvtres.exe
PID 1584 wrote to memory of 924	1584	vbc.exe	cvtres.exe
PID 1584 wrote to memory of 924	1584	vbc.exe	cvtres.exe
PID 1584 wrote to memory of 924	1584	vbc.exe	cvtres.exe
PID 1156 wrote to memory of 1072	1156	InstallUtil.exe	schtasks.exe
PID 1156 wrote to memory of 1072	1156	InstallUtil.exe	schtasks.exe
PID 1156 wrote to memory of 1072	1156	InstallUtil.exe	schtasks.exe
PID 1156 wrote to memory of 1072	1156	InstallUtil.exe	schtasks.exe
PID 1648 wrote to memory of 428	1648	taskeng.exe	GrieferGames.exe
PID 1648 wrote to memory of 428	1648	taskeng.exe	GrieferGames.exe
PID 1648 wrote to memory of 428	1648	taskeng.exe	GrieferGames.exe
PID 1648 wrote to memory of 428	1648	taskeng.exe	GrieferGames.exe
PID 428 wrote to memory of 1440	428	GrieferGames.exe	InstallUtil.exe
PID 428 wrote to memory of 1440	428	GrieferGames.exe	InstallUtil.exe
PID 428 wrote to memory of 1440	428	GrieferGames.exe	InstallUtil.exe
PID 428 wrote to memory of 1440	428	GrieferGames.exe	InstallUtil.exe
PID 428 wrote to memory of 1440	428	GrieferGames.exe	InstallUtil.exe
PID 428 wrote to memory of 1440	428	GrieferGames.exe	InstallUtil.exe
PID 428 wrote to memory of 1440	428	GrieferGames.exe	InstallUtil.exe
PID 428 wrote to memory of 1440	428	GrieferGames.exe	InstallUtil.exe
PID 428 wrote to memory of 1440	428	GrieferGames.exe	InstallUtil.exe
PID 428 wrote to memory of 1440	428	GrieferGames.exe	InstallUtil.exe
PID 428 wrote to memory of 1440	428	GrieferGames.exe	InstallUtil.exe
PID 428 wrote to memory of 1440	428	GrieferGames.exe	InstallUtil.exe
PID 1440 wrote to memory of 1884	1440	InstallUtil.exe	InstallUtil.exe
PID 1440 wrote to memory of 1884	1440	InstallUtil.exe	InstallUtil.exe
PID 1440 wrote to memory of 1884	1440	InstallUtil.exe	InstallUtil.exe
PID 1440 wrote to memory of 1884	1440	InstallUtil.exe	InstallUtil.exe
PID 1440 wrote to memory of 1884	1440	InstallUtil.exe	InstallUtil.exe
PID 1440 wrote to memory of 1884	1440	InstallUtil.exe	InstallUtil.exe
PID 1440 wrote to memory of 1884	1440	InstallUtil.exe	InstallUtil.exe
PID 1440 wrote to memory of 1884	1440	InstallUtil.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\e7855638115e51828aff2dde97a967409c118d1c7c883de968a35b06b61624b5.exe
"C:\Users\Admin\AppData\Local\Temp\e7855638115e51828aff2dde97a967409c118d1c7c883de968a35b06b61624b5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\AppData\Roaming\GrieferGames.exe
  "C:\Users\Admin\AppData\Roaming\GrieferGames.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:2044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r5shqcbh\r5shqcbh.cmdline"
      4⤵
      Drops startup file
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB6D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc150E3AC6CA5847FCBF6A6CBDF7D66160.TMP"
        5⤵
        
        PID:924
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 2 /tn "mscvrrll.exe" /tr "C:\Users\Admin\AppData\Roaming\GrieferGames.exe"
      4⤵
      Creates scheduled task(s)
      PID:1072

C:\Windows\system32\taskeng.exe
taskeng.exe {77F1994F-6EEC-4380-91CD-FED3D8193C37} S-1-5-21-594401021-1341801952-2355885667-1000:KORIIBGY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Roaming\GrieferGames.exe
  C:\Users\Admin\AppData\Roaming\GrieferGames.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAB6D.tmp

Filesize
1KB

MD5
6f6c599921ccf738cd592bd646efe304

SHA1
9af610282551693b6d195fe9a1d0da4d78d0c565

SHA256
cc2a36eaa6efae79709628ab2e483730828a57bfd76f148d2baeb8b685852d21

SHA512
3db527057dca4c7c6c93375643d855d799ebcd0504a04a9831ce1e52edb1f79e91ec2c8c2ed15e1327fdf6242d0511e4e992b02e0168109322552fa51dc31a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\SvZwfRt.txt

Filesize
47B

MD5
cc34155d2a78c6079f8b82b04d210759

SHA1
cc33343474ecbb6544835769dacb465d5ad2963d

SHA256
0315f7a57bd4b29fe2c12936f91d154bddb0b647a03f1f762f1e7a6e67dd0244

SHA512
06394021b64bc3d0256ef56e2f9aad91aac67a897b72246b61372f84c13cdcb8abba98df5dec2c058cf61a8b9b09d8d948cdc1f2c04c0e641ca1801257feeb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SvZwfRt.txt

Filesize
47B

MD5
cc34155d2a78c6079f8b82b04d210759

SHA1
cc33343474ecbb6544835769dacb465d5ad2963d

SHA256
0315f7a57bd4b29fe2c12936f91d154bddb0b647a03f1f762f1e7a6e67dd0244

SHA512
06394021b64bc3d0256ef56e2f9aad91aac67a897b72246b61372f84c13cdcb8abba98df5dec2c058cf61a8b9b09d8d948cdc1f2c04c0e641ca1801257feeb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\r5shqcbh\r5shqcbh.0.vb

Filesize
157B

MD5
0c9c0bba57948a5464d264d621d234ee

SHA1
5736ba70a71db3aaa976710625408b379077688d

SHA256
36d636ccf5f0631a9917b708de33b88ebb0e418bafbb9ca183d66b28f194f270

SHA512
baac1bffded58a61f87102452186eba06de13dfc298598891e7f768f256403bb22f70f3361f7e505cb5a7f1f3b6a6829dfa176c89699340dda71a1785615a74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\r5shqcbh\r5shqcbh.cmdline

Filesize
209B

MD5
18cf07eddbb275ee7c9d25547b21b712

SHA1
3db1115c09683735832dcfbc912942866dce0029

SHA256
0bf46a525d4920d6a10fb3f1c1ba1dd267608d31d89a9563713b6afe13ecbdb7

SHA512
fbcd68dc7966dfd91096dd108e576118637e25f01a46cb5ca5a7852c6cb13d41470d0a16512977b559b2a28b3d6b68f9692a1b37b8e9ed3c83a87435d7aee37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc150E3AC6CA5847FCBF6A6CBDF7D66160.TMP

Filesize
1KB

MD5
b784cd850849e7cfb4b0995c3af6e2eb

SHA1
9e68254ff03727fa9c4e287ea0d5ca89367e5ce6

SHA256
1ef3d6c6b8ee66095943bcc44f78724fd4881c99e2f4c526a019924fb4382edb

SHA512
53bed07c99a021d70ac57d8a7a5a4301146720bb5c9c585f2c0cea532c46d9e6fe992004d640b8d732ddeccb0584fd0647dc11ed3f9ea143bda25d76c31aa3a6

Download Submit
C:\Users\Admin\AppData\Roaming\GrieferGames.exe

Filesize
56KB

MD5
0c11f073c803ab244c48494117bf3369

SHA1
3598d18ce3f42fd102123b7fc881e7927296fa34

SHA256
860c38b8aaba5234312789232c857410c779d64e63fc2b6ff93a5cb4f1fa4462

SHA512
77049a2d18e9af1fc9804ef94d9778f059b9848a0cea20ae22ace4b077678d865483f7774d9c54b56693c5f4bd7ad4b871c65b5a708c279d9fca956607fdb97a

Download Submit
C:\Users\Admin\AppData\Roaming\GrieferGames.exe

Filesize
56KB

MD5
0c11f073c803ab244c48494117bf3369

SHA1
3598d18ce3f42fd102123b7fc881e7927296fa34

SHA256
860c38b8aaba5234312789232c857410c779d64e63fc2b6ff93a5cb4f1fa4462

SHA512
77049a2d18e9af1fc9804ef94d9778f059b9848a0cea20ae22ace4b077678d865483f7774d9c54b56693c5f4bd7ad4b871c65b5a708c279d9fca956607fdb97a

Download Submit
C:\Users\Admin\AppData\Roaming\GrieferGames.exe

Filesize
56KB

MD5
0c11f073c803ab244c48494117bf3369

SHA1
3598d18ce3f42fd102123b7fc881e7927296fa34

SHA256
860c38b8aaba5234312789232c857410c779d64e63fc2b6ff93a5cb4f1fa4462

SHA512
77049a2d18e9af1fc9804ef94d9778f059b9848a0cea20ae22ace4b077678d865483f7774d9c54b56693c5f4bd7ad4b871c65b5a708c279d9fca956607fdb97a

Download Submit
memory/428-99-0x000000006F7D0000-0x000000006FD7B000-memory.dmp

Filesize
5.7MB

Download
memory/428-87-0x0000000000000000-mapping.dmp

Download
memory/924-83-0x0000000000000000-mapping.dmp

Download
memory/1072-86-0x0000000000000000-mapping.dmp

Download
memory/1156-67-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1156-59-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1156-62-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1156-63-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1156-64-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1156-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1156-65-0x000000000040F91E-mapping.dmp

Download
memory/1364-58-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/1364-57-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1364-54-0x0000000000000000-mapping.dmp

Download
memory/1440-96-0x000000000040F91E-mapping.dmp

Download
memory/1584-80-0x0000000000000000-mapping.dmp

Download
memory/1884-109-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/1884-113-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/1884-116-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/1884-106-0x0000000000407286-mapping.dmp

Download
memory/2044-74-0x0000000000407286-mapping.dmp

Download
memory/2044-71-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2044-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2044-72-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2044-73-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2044-68-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2044-79-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2044-77-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download